GDPR

The EU’s General Data Protection Regulation, which went into effect on May 25, imposes new data privacy obligations on all organizations that process the data of EU citizens, whether or not they are based in Europe themselves. The maximum penalties for noncompliance are hefty, so it is essential for businesses to ensure that their practices are GDPR-compliant if they haven’t already.

With every organization doing a huge amount of work for the first time and trying to get right with the GDPR as quickly as possible, this makes for a fertile environment for bad information to circulate and for opportunists to take advantage of organizations’ unfamiliarity with the new regulatory terrain. Organizational leaders need to be vigilant about which “experts” to trust for guidance on GDPR compliance, take advantage of the information provided directly by the European Commission, and bear in mind that different functions, particularly HR, face unique compliance challenges.

Step 1: Beware of Charlatans

The proliferation of bad advice and information is a simple matter of supply and demand. Demand for advice is high, both because of the global impact of the GDPR and because so many organizations were not proactive in planning for compliance are now scrambling to catch up. The supply of that advice is scarce and of uneven quality, with no historical track record of performance. Over the past few months, many companies have been assembling data protection functions and hiring data protection officers (DPOs), causing a run on the thin supply of qualified talent for these roles.

The EU’s upcoming General Data Protection Regulation (GDPR), which is scheduled to come into force on May 25, expands the reach of existing privacy regulations, applying not just to European organizations but to all companies processing the personal data of EU residents, no matter where the company is located. It also requires organizations to request users’ consent for data collection and grants EU citizens a number of new rights, including the right to access data collected about them and the “right to be forgotten,” or to have that data erased. Organizations caught violating the regulation risk fines of as much as 4 percent of their annual global turnover or 20 million euros.

The main job for HR on these projects is to make sure EU employees and recruits are given notice describing what personal data the company is collecting, how it is being used and how it will be shared and kept. [Neal Dittersdorf, general counsel and privacy officer for iCIMS,] noted that many companies already provide data notifications to these workers, however HR needs to be certain the language and timing of these notifications is updated to reflect GDPR requirements. …

The EU’s General Data Protection Regulation (GDPR), which is scheduled to come into force on May 25, represents a massive overhaul of data privacy law throughout the bloc. The GDPR expands the reach of existing privacy regulations, applying not just to European organizations but to all companies processing the personal data of EU residents, no matter where the company is located. It also requires organizations to request users’ consent for data collection “in an intelligible and easily accessible form,” while granting EU citizens a number of new rights, including the right to access data collected about them and the “right to be forgotten,” or to have that data erased. Organizations caught violating the regulation will be fined as much as 4 percent of their annual global turnover or 20 million euros.

With the enforcement date of this massive new regulation just months away, “data protection officers are suddenly the hottest properties in technology,” Reuters’ Salvador Rodriguez reports:

More than 28,000 will be needed in Europe and the US and as many as 75,000 around the globe as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The organization said it did not previously track DPO figures because, prior to GDPR, Germany and the Philippines were the only countries it was aware of with mandatory DPO laws.